Loading article…
Injective Labs supply‑chain breach exposed a malicious @injectivelabs/sdk‑ts 1.20.21 npm release that stole wallet keys; 310 downloads reported, zero confirmed
A malicious version of the @injectivelabs/sdk‑ts npm package (v1.20.21) was published after a GitHub compromise, and security firm Socket says it was downloaded 310 times before removal, prompting urgent key‑rotation warnings for developers [1].
| At a glance | |
|---|---|
| Package version | @injectivelabs/sdk‑ts v1.20.21 |
| Weekly downloads (legitimate) | ~50,000 |
| Reported malicious downloads | 310 |
| Catalyst | GitHub repo breach and malicious commit on June 8 |
Threat actors gained access to the official Injective Labs GitHub repository and pushed a poisoned release of the SDK package on July 9, 2026. The malicious code hijacked wallet‑key‑derivation functions, captured private keys and seed phrases, and exfiltrated them via a forged telemetry request that mimicked an Injective network server [1][3]. Because the SDK is a core dependency for many downstream packages, the compromise spread across 17 related packages in the Injective Labs scope, potentially affecting developers who never installed the SDK directly [1].
Socket reported that the compromised package was downloaded 310 times before it was removed, while Injective Labs publicly stated that “zero downloads” occurred and that the issue was patched immediately [1]. No on‑chain theft has been confirmed, and the project’s CEO emphasized that no funds on the Injective network are at risk [1]. Nonetheless, the incident highlights the growing threat of software supply‑chain attacks, which the Security Alliance noted as the most costly vector in H1 2026, with $444 million stolen across 33 incidents [1].
The breach underscores that even well‑maintained open‑source SDKs can become attack vectors, forcing developers to treat any keys or mnemonics processed through compromised packages as compromised and to rotate credentials promptly.
Coverage is mostly measured — 8 of 8 reports stay neutral.
Every Monday — the token unlocks, Fed dates & catalysts set to move crypto and markets this week. So you’re never blindsided.
Free · 3-min read · one-click unsubscribe
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 3 outlets · Jul 18, 2026 · How we report
Injective filed a transfer agent registration with the SEC to maintain on‑chain ownership records for tokenized securities.
No, the filing is pending and the SEC may request additional information before making a final determination.
No, the malicious package had zero downloads and was removed before any developers could use it, so no funds were at risk.
Injective deprecated the affected package versions, released clean replacements, and implemented additional protections for its npm supply chain.
The network can settle transactions in less than one second, allowing ownership updates to occur almost instantly.